JPH0325502A - Dual controller - Google Patents

Abstract

PURPOSE:To easily manage continuation of dual operation or switching to single operation at the time of trouble of one system by selecting either of the method where a unit including a trouble module is disconnected from the system to keep the dual system in remaining device parts and the method where the system including the trouble module is disconnected to switch the dual system to the single system at the time of detecting trouble of the module. CONSTITUTION:If one input/output unit of a system A out of n-number of input/ output units 31, 32,... is out of order at the time of dual operation, a trouble unit substitution designating parameter of the system where trouble is detected is checked. When it is judged that substitutional use is possible, input data of the other normal system corresponding to the faulty input/output unit is used to continue the dual operation. When it is judged that substitutional use is impossible, the dual operation is switched to the single operation dependent on only the normal system. Thus, the trouble unit is disconnected to keep the dual operation or the dual operation is switched to the single operation by an easy method of parameter setting when one system is faulty.

Description

DETAILED DESCRIPTION OF THE INVENTION (Field of Industrial Application) The present invention relates to a redundant control device that applies a microprocessor and can be used as a power control device, for example, and particularly a redundant control device equipped with a countermeasure processing means in the event of a partial failure. Regarding.

(Prior art) Power control devices that control power systems have traditionally been required to have high reliability and high availability, and the components of the device may be multiplexed depending on the importance of the system. . FIG. 3 shows a redundant control device as an example of such a multiplexed power control device.

The redundant control device 1 shown in FIG.
First and second central processing units 2A, which consist of PU modules 4A, 4B and internal bus controllers 5A, 5B, are connected to each other via a synchronous bus 9.
, 2B. In addition, there are many unit inputs that function as input/output interfaces that input data from sensors that directly detect various processes in the plant and send operating signals to various actuators to control various process values in the plant. The input/output modules 71 and 72 consisting of the output module 7 and the central processing units 2A and 2B are connected via internal buses 8A and 8B, respectively, and 4'' data updates are executed between them and the input/output modules 71 and 72. input/output controller 6A1.6
A plurality of input/output units 31 and 32 (two sets in the figure) consisting of B1 to 6A2 and 6B2 are provided.

Note that the unit input/output module 7 and each of the input/output controllers 6A1, 6B1 to 6A2, and 6B2 are connected via I/O buses 101 and 102.

Duplication control, the scope of duplication of device 1 is ψ central processing units 2A, 2B, input/output controllers 6A1, 6B1 to 6A2, 6B2, and internal buses 8A, 8B.
It is said that A central processing unit 2A having a suffix A in the collar number, input/output controllers 6A1 to 6A2,
For convenience, the internal bus 8A system is referred to as the A system,
Furthermore, for convenience, the system including the central processing unit 2B, input/output controllers 6B1 and 6B2, and internal bus 8B having the suffix B will be referred to as the B system.

In order to prevent erroneous output to the plant, duplication operates in dual mode when both systems are healthy, that is, in a mode in which output is performed if data matches. Data comparison is performed between the input/output controllers 6A1, 6B1 to 6A2, 6B2 of both the A and B systems.

In dual operation, data input/output is performed when the data of both systems match, so plant operation safety is high, but if one system's ψ center calculation unit 1 or input/output controller fails, dual operation become unable to maintain. Improving equipment operation is also a major requirement for plant operation, and as a result of mutual diagnosis, healthy systems have the ability to disconnect faulty systems, interrupt duplication, and shift to independent operation of only healthy systems.

By the way, in the redundant control device used as a recent power control device, an internal bus 8A is installed as shown in Fig.
, 8B to execute auxiliary calculation or control the management of the internal buses 8A, 8B, and an internal bus controller 15A,
An auxiliary arithmetic unit 12 consisting of 15B may be provided to perform part of the arithmetic operations of the central arithmetic units 2A and 2B, or a communication unit (not shown) for data transmission with other devices may be connected thereto. Sometimes I do.

The input/output units 31 and 32 may also be provided as optional signal monitoring units that are not particularly required for plant control.

With conventional technology, even in the event of a failure in one system of an optional unit or a unit that emphasizes availability in a redundant system, redundant operation is canceled and only the non-faulty system is switched to independent operation. was.

(Problem to be solved by the invention) If an optional unit fails during plant operation and redundant operation of the control device can be continued even if it is excluded, for example, in a plant that was not previously monitored. It would be convenient for operation if it could be monitored with information, but it is possible to use signals that are more important for operation due to a failure of an input/output unit that can be operated without it, or a single failure of an input/output unit that emphasizes operation rate. If the input/output unit that handles the is in good condition, or if the minimum necessary operation is possible without the auxiliary processing unit, local processing can be performed without online operation with the host system via the communication unit. In cases where it is completely possible, simply shifting from redundant operation to single operation is not safe for safe driving.
The problem persists.

The present invention was made in consideration of the above-mentioned T1f situation, and when faced with a partial failure of a device other than the central processing unit, it continues redundant operation as much as possible depending on the importance of that unit, and if it becomes impossible. Therefore, it is an object of the present invention to provide a duplex control device that can continue single-system operation as much as possible.

[Structure of the invention]

(Means for Solving the Problems) First, the present invention consists of a microprocessor, a memory, an internal bus controller, etc., and an arithmetic unit that manages and executes the entire calculation and control, and a It is configured to include an internal bus, a plurality of input/output units consisting of an input/output module as an input/output interface with the plant, and an input/output controller that manages the input/output module, and includes at least a calculation unit and an internal bus. In a duplex control device in which input/output controllers are duplexed to form two systems, a module failure detection means detects a module failure in the device, and when a module failure is detected by the module failure detection means,
The system is characterized by having a selection stage for selecting whether to disconnect the unit containing the faulty module from the system and maintain a dual system in the remaining equipment, or to disconnect the system including the faulty module and transition to a single system. do.

Second, the present invention provides an arithmetic unit that is composed of a microprocessor, a memory, an internal bus controller, etc., and manages and executes arithmetic operations and the entire $1 control, an internal bus connected to the internal bus controller, and a plant. The input/output module as an input/output interface between the two, and the input/output controller that manages the input/output module, and a certain plurality of input/output units, and at least the arithmetic unit, internal bus, and input/output controller are duplicated. In a redundant control device that constitutes two systems, there is a fault detection means for detecting a partial fault in an input/output unit, and this fault detection means detects that a partial fault has occurred in a different input/output unit in both systems. When a partial failure occurs in the same input/output unit, a duplex system is maintained using the plant human input data from the normal input/output controller of a different input/output unit, and when a partial failure is detected in the same input/output unit, the input/output of the previous input/output unit is maintained. A partial failure group n,′! that maintains a dual system that stops updating input data from the unit. It is characterized by having a corresponding means.

(Function) In the redundant control device according to the first invention, when it is detected that a partial failure has occurred in different input/output units in both systems during duplex operation, the system in which the failure has been detected is designated as a replacement for the failed unit. If the parameters are checked and it is determined that alternative use is possible, the input data of the other normal system corresponding to the failed input/output unit is used in place of the manual data of the failed input/output unit of that system. Continue redundant operation. In addition, if it is determined that alternative use of the failed unit replacement designation parameter is impossible, the system is shifted to standalone operation using only the normal system. When it is detected that a partial failure has occurred in the same input/output unit in both systems, the failed input/output unit is disconnected from the system and redundant operation is continued.

The duplex control device according to the second invention uses plant human power data from normal input/output controllers of different input/output units when it is detected that a partial failure has occurred in different input/output units in both prefectures during duplex operation. When it is detected that a partial failure has occurred in the same input/output unit, the system maintains a dual system in which manual data updates from that failed input/output unit are stopped.

Thus, according to the present invention, even if a partial failure occurs in an input/output unit, duplex operation is performed as much as possible without immediately switching to standalone operation, and only when it is determined that duplex operation is impossible, transition to standalone operation is made. Therefore, the function as a duplex control device can be fulfilled as much as possible.

(Embodiments) Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

As already mentioned, for convenience of explanation, the central processing units 2A, 2B, input/output controllers 6A1, .
6B1; 6A2, 6B2, and internal bus 8
Among A and 8B, the system with the suffix A in the n number is called A.
A system having the suffix B will be described as a B system. Further, a plurality of input/output units that constitute the duplex control device 1 and are connected to the central processing unit will be explained using unit numbers 1 to n. Furthermore, C of the A system or B system in the central processing unit constituting the redundant control device 1
The basic software installed in the PU module will be referred to as "A-system basic software" or "B-system basic software," respectively, and when the two names are not distinguished or are referred to collectively, they will be referred to as "basic software."

Now, a series of operations when the A system of the redundant control device 1 starts up will be explained.

As shown in Figure 1, when the A-based basic software is started, it first sets system parameters to support the execution of application programs stored in the ROM or non-volatile memory of the CF'U module 4A. Hardware purchasing information, application program execution environment setting information (number of functions or tasks, abortive cycle, execution priority, etc.), and system parameter items such as "unit exclusion" when each unit fails. After executing the initialization process (step A01) to set the initial state of the basic software, the central processing unit 2A is connected to the internal bus 8A.
n input/output units 31, 32, connected via
・Connection diagnosis for 3n (only 2 units 31 and 32 shown) (
Steps AO2 and A03) are performed. Diagnosis is performed by the basic software from the internal bus controller 5A to the input/output units 31 and 32 via the internal bus 8A.
0) Output a "connection request command" to the input/output controllers 6A1 and 6A2, and output the "connection request command" to the input/output controllers 6A1.
From 6A2, the "connection response command" is sent to internal bus 8.
A and the internal bus controller 5A,
The basic software installed in the CPU module 4A monitors the time until detection, and if a "connection response command" is detected within a specified time, the input/output unit is determined to be normal.

Next, all connected input/output units 31, 32...3
If n is normal, the A-system basic software outputs a "duplexing request" to the B-system basic software via the synchronous bus 9 (steps AO4, BO7).

At this time, if the duplex control device 1 is executing the solo operation in the B system, the B system basic software process shifts the operation mode from the solo operation to the duplex operation (step B
O8. AO5, AO6).

In the dual system for dual photography, data is input/output when the data of both systems match, so all of the B system operating systems are Start-up system via data synchronization bus 9 (
Transfer processing to system A) is also executed. After that, the basic software for both systems performs "output processing" (steps AO9, BO9) to the input/output units 31, 32...3n, and a plant $1 control program (application program) equivalent to relay sequence and closed loop control. "Arithmetic processing" to be executed (steps AIO, BIO), "input processing" from the input/output units 31, 32...3n (steps A17, B17), and "unit connection diagnosis" according to the present invention (steps All, Bll; A12, B1
2), “Communication of diagnosis results” (Steps A13, B13)
, "Failure processing J (steps A14 to A16, 814 to
B16) (steps AO7 to A17, BO7
- B17) are repeatedly executed.

In addition, when the redundant control device 1 is in a non-operating state, the A-system software learns that the redundant control device 1 is in a non-operational state by not detecting the "duplex response" from the B-system software, and starts a small independent operation. Input processing from input/output units 31, 32...3n (step A)
20, B20). After that, the A-system basic software performs "arithmetic processing" (step AID) that executes a plant control program (application program) equivalent to relay sequence and closed-loop control, and "input processing" from input/output units 31, 32...3n. ” (step A17), “output processing” to the input/output units 31, 32, . . . 3n (step AO9), “unit connection diagnosis” (step A11), and “failure processing” (step A14 to A16), and the processes (steps A09 to A17) including the "duplex response process" (steps AO7 and AO8) are repeatedly executed.

Each input/output unit of the basic software 31, 32...
3n "input processing" (steps A17, A20
) and "output processing" (steps AO9, BO9) are shown below.

Input/output unit 31 that controls input/output of process data
．． As the input/output control means of 32, the input/output unit 31
．． The input/output controllers 6A1, 681 to 6A2, and 6B2 constituting the 32 may have software for input/output control, or may be controlled only by hardware, but in the present invention, it does not matter which one is used. Make it not exist.

Furthermore, for the output (writing) of output data and the input (reading) of manual data in the basic software, there are means such as interrupt activation, but the present invention does not limit the means.

"Output processing" is first performed by the basic software to the input/output controllers 6A1, 6B1 to 6A2, 6B2 of each input/output unit 31.32 via the internal bus controllers 5A, 5B and internal buses 8A, 8B. The input/output controllers 6A1, 681 to 6A2, 6B2 then output the output data to the input/output modules 71, 72 via the I/O buses 101, 102. In addition, in "human processing", the basic software first performs input/output controller 1/roller 6A1, 6B1 to 6A2 of each input/output unit 31.32 via internal bus controllers 5A, 5B and internal buses 8A, 8B. .6
The input/output controller 6A1, 681 to 6A2. and sends the input data to internal buses 8A, 8B and internal bus controllers 5A. This is performed by the basic software that is in a state of waiting for input data to take in the data via the 5B.

Here, the input/output unit 31 according to the present invention. The behavior of the redundant control device 1 in the event of a failure of 32 will be described below with reference to FIG. Note that the symbols used in the processing flowchart of the basic software according to the present invention shown in FIG. 2 are as follows.

K is the connection diagnosis result of the white input/output unit 1 composed of n bits when one bit of information is provided for each input/output unit 31, 32...3n. bit information 9fi>.I indicates the unit number of the input/output unit 31, 32...3n used in the range of 1 to n.J indicates the unit number of the input/output unit used in the range of O to (n - 1). Indicates the bit position information of the connection diagnosis result (K) of the input/output unit of the system.L indicates the connection diagnosis result of the input/output unit of the other system imported via the synchronous bus 9.X indicates the connection diagnosis result of the input/output unit of the own system. The logical sum result of the connection diagnosis result (CK) of the input/output unit and the connection diagnosis result (L) of the input/output unit of another system is shown.

Y is a unit exclusion designation made up of n bits when one bit of information is provided for each input/output unit 31, 32...3n, and "O" is a unit exclusion designation. Valid, “1” indicates invalid exclusion specification. 2 is the logical sum result (X
) and the unit exclusion designation (Y).

Now, when the duplex control device 1 is performing duplex operation using the A system and the B system, one of the n input/output units 31, 32, . . . , 3n that constitute the duplex control device 1
When the A-system input/output controller of a unit (unit number mum≦n) fails, the unit number m (: d< corresponding bit is “0” (exclusion valid designation) for unit exclusion designation is a special redundant control device. The behavior of No. 1 will be explained.

When the A-system basic software detects a failure in the input/output unit with unit number m in the unit connection diagnosis process (steps SOI to SOS), it sets the m bit to "1" as the unit diagnosis result and establishes a synchronous bus in the diagnosis result communication process. 9 to the B-system software, imports the B-system unit diagnosis result, and calculates the logical sum of the self-system (A-system) unit diagnosis result and the B-system unit diagnosis result. (Steps SO9 to S12), since the bit corresponding to unit number m becomes "1", it is determined that there is a faulty unit, and the logical AND of the determination result and the unit exclusion designation is performed (steps 813 to S15). . Here, the bit corresponding to unit number m specified for unit exclusion is “
O” (Exclusion H effect designation) (Step S16: “Y”)
Therefore, the A-system basic software stops updating the input data from unit number m of the input/output unit as an exclusion manual process, and continues duplex operation with unit number m excluded. At this time, similar to the A-system basic software, the B-system basic software calculates the logical sum of the self-system diagnosis result and the A-system diagnosis result, and as a result of the exclusion input processing, the unit number of the input/output unit "from n" is calculated. Update input data,
Continue duplex operation excluding unit number m. The state at this time is shown in FIG. 5 assuming m-1.

If the corresponding unit fails multiple times during duplex operation excluding unit number m of the input/output unit,
When the system A system software detects the recovery of the input/output unit with unit number m in the unit failure diagnosis process, it sets the m bit to "O" as the unit diagnosis result and sends it to system B system via the destination bus 9 in the diagnosis result communication process. The self-system unit diagnosis result is output to the software, the B-system unit diagnosis result is taken in, and the logical sum of the self-system diagnosis result and the B-system diagnosis result is calculated (steps S09 to S12). In the A-based basic software, as a result of taking the logical sum, the bit corresponding to unit number m is '
0” (bits 0-n-1 are all “0”) (step S13: “Y”), so it is determined that there is no failure.
Shift to full redundant operation where human data for all input/output units is updated as a manual process. At this time, the B-system basic software, like the A-system basic software, calculates the logical sum of the self-system diagnosis result and the A-system diagnosis result, bits O~
Since n-1 is all '0', it is determined that there is no faulty unit, and the system shifts to full duplex operation.

Next, while the duplex control device 1 is in duplex operation using the A system and the B system, the A system input/output of one of the n input/output units (unit number mum≦n) that constitutes the duplex control device 1 is performed. The behavior of the duplex control device 1 when the controller 6A1 or 6A2 fails and the bit corresponding to the unit number m designated for unit exclusion is "1" (exclusion invalid designation) will be described.

When the A-system basic software detects a failure in the input/output unit 1 with unit number m in the unit connection diagnosis process, it sends the unit diagnosis result, m bit - "1", to the B-system via the synchronous bus 9 in the diagnosis result communication process. The self-system unit diagnosis result is output to the software, the B-system unit diagnosis result is taken in, and the logical sum of the self-system diagnosis result and the B-system diagnosis result is calculated (step S12).

The A-system basic software determines that there is a failure because the bit corresponding to the unit number m becomes "1" based on the logical sum, and then performs the AND of this judgment and the unit exclusion designation. (Step S15). Here, the bit corresponding to unit number m specified for unit exclusion is “1”.
(exclusion invalid designation), the A-system basic software further performs a logical product of the above-mentioned result and the self-system diagnosis result. As a result, the bit corresponding to unit number m is “1”
Therefore, self-system separation (step S17: "N"
), the initialization process is continued until the input/output unit with unit number m is restored. At this time, B
The system basic software calculates the logical sum of the self-system diagnosis result and the A-system diagnosis result and the logical product of the unit exclusion designation. Furthermore, a logical AND is performed with the self-system diagnosis results. As a result, the bit corresponding to unit number m is “0”
(Bits O-n-1 are all “0”), so
Shift from duplex operation to single operation (step S17:
“N”). This state is shown in FIG.

When the input/output controllers 6A1 and 6A2 that constitute the input/output unit with the unit number m of the A system recover while the redundant control device 1 is operating independently in the B system, the A system basic software is changed to the B system basic software. A "duplexing request" is outputted to the controller via the synchronous bus 9, and thereafter, the basic software of both systems shifts from single-track operation to complete duplex operation.

The above explanation focuses on the operation of the A system side, but
This is done on the B-system side in the same way as on the A-system side. B-system steps in FIG. 1 are shown with B indicating that they are B-system steps, and a numerical code corresponding to that of the A-system steps.

According to the embodiment described above, when one system is out of service, the
A simple method of parameter setting can determine whether to disconnect the failed unit and maintain redundant operation, or disconnect the entire system including the failed unit (module) and shift to standalone operation.

Judgment of these parameters, separation of units/systems as a whole, and automatic recovery are executed by the basic program.
It is possible to configure an easy-to-use device.

Next, another embodiment of the present invention will be described with reference to FIGS. 7(a) and 7(b).

Here, steps that are the same as or correspond to those described with reference to FIGS. 1 and 2 are given the same reference numerals.

In this embodiment, FIG. 7(a). As shown in (b), when the A-based software is started, the CPU
mh in the ROM or non-volatile memory of module 4A
Hardware configuration information, which is system parameters to support the execution of application programs, and application program execution environment setting information (
Funk? number of units or tasks, execution cycle, execution priority, etc.), and system parameter items such as "unit exclusion designation" when each unit fails.
After executing the initialization process (step A01) to set the initial state of the basic software, n input/output units 31, 32...3n (not shown) connected to the central processing unit 2A via the internal bus 8A are connection diagnosis (step A02) is performed for only two units). For diagnosis, the basic software 1/ware is internal bus controller 5A.
to each input/output unit 3 via internal bus 8A.
A "connection request command" is output to the input/output controller 6A1■6A2 of 1.32, and a "connection response command" is sent from the input/output controller 6A1.6A2 via the internal bus 8A and the internal hash controller 5A. This is done by monitoring the time taken until the software detects the connection, and if a "connection response command" is detected within the specified time, the person/output unit is declared normal.

Next, if all the connected input/output units 31 to 3n are normal, the A-system basic software outputs a "duplexing request" to the B-system basic software via the synchronous bus 9 (
Steps AO4, BO7).

At this time, if the duplex control device 1 is in the standalone operation in the B system, the B system basic software shifts the operation mode from the standalone operation to the duplex operation (steps BO8, BO8'
).

In a dual-operation dual-system system, data is output when the data of both systems match, so a synchronization bus for all data of the B-system operation system is required when changing the operation mode from 11 independent operation to duplex operation. The transfer process to the startup system (A system) via 9 is also executed.

After that, the basic software for both systems is input/output unit 3.
1.32..."Output processing" to 3n (step AO
9, BO9) and "arithmetic processing" (steps AIO, BIO) that executes plant control programs (application programs) equivalent to relay sequences and closed-loop control.
), input/output unit 31. "Input processing" from 32...3n (steps A29 to A31, B29 to B31
), and further repeatedly execute "unit connection diagnosis" (step A11.Bll), "r diagnosis result communication" (steps A21, A22.B21, B22), and "failure processing" (A24, 824 et seq.) according to the present invention. .

In addition, when the redundant control device 1 is in a non-operating state, the A-system software receives a "duplex response" from the B-system software.
Since the redundant control device 1 is not detected, it is learned that the duplex control device 1 is in a non-operating state, and in order to enter the independent operation operation, manual processing (step A20) from the input/output units 31, 32, . . . , 3n is executed. After that, the A-system basic software performs "arithmetic processing" (step A10) that executes a plant control program (application program) equivalent to a relay sequence or closed loop system 8, and "input processing" from the input/output units 31, 32...3n. "processing" (step A20), "output processing" to the input/output units 31, 32...3n (step AAO9), "unit connection diagnosis" (step A11), and "failure processing" (step A24) according to the present invention. ~A28) and "duplex response processing" (steps AO4 to AO8) are repeatedly executed.

Next, the behavior of the duplex control device 1 when the input/output units 31 and 32 are out of service will be explained below with reference to FIG. Note that the symbols 1, J, K, and L used in the processing flowchart of the basic software according to the present invention shown in FIG.
is the same as in FIG. 2. M is a failure unit replacement designation made up of n bits when one bit of information is set for each of n input/output units 31 to 3n; "0" indicates replacement designation is valid; 1” indicates that the alternative designation is invalid. X indicates the AND result of the connection diagnosis result (K) of the input/output unit of the own system and the failure unit replacement designation CM). Y is the connection diagnosis result of the input/output unit of the own system (
The logical AND result of K) and the connection diagnosis result (L) of the input/output unit of the other system is shown.

Now, while the duplex control device 1 is in duplex operation using the A system and the B system, one of the n input/output units 31, 32...3n (unit number m: When the A-system input/output controller 6A (m≦n) fails, the behavior of the duplex control device 1 when the bit corresponding to the unit number m of the failed unit replacement designation is “0” (alternative valid designation) will be explained.

When the A-system basic software detects a failure in the input/output unit 3m with unit number m in the unit connection diagnosis process (steps 501 to S08), the A-system basic software sets the self-system (A-system) unit diagnosis result ( K) and the failed unit replacement designation (M) are logically ANDed (X) (step 320~
S22). Since the bit corresponding to the unit number m of the failed unit replacement designation (M) is “0” (alternative valid designation), the B system unit imported via the synchronous bus 9 in the above X and other system communication processing A logical product (Y) with the connection diagnosis result (L) is taken (steps 323 to S26). here,
When the bit corresponding to unit number m becomes "1", the basic software of system A determines that unit number m of system B is normal, and uses the synchronous bus 9 in communication processing of other systems as an alternative processing power. The duplex operation using the input data corresponding to the unit number m of the B system imported through the B system is continued (step S27: "Y"). At this time, the B-system real software shows that the self-system unit connection diagnosis result (K) is “0”.
(All connected I/O units are normal), so redundant operation using the manual data of the own I/O units continues. This state is shown in FIG. 9 as m-1.

If the bit corresponding to unit number m in the operation result (Y) becomes "1", it is determined that the input/output unit with unit number m of both systems is faulty, and the basic software of both systems ml: Continue duplex operation with input data update stopped from the corresponding input/output unit (step S27: "N"). This state is shown in FIG.

During redundant operation using both systems A and B, two of the n input/output units 31 to 3n (unit numbers -m, m+1
:m+1≦n), A system input/output controller 6A
1 (unit number m) and B system input/output controller 6
When B2 (unit number m+1) fails,
The behavior of both systems when the bits corresponding to unit numbers m and m+1 of the failure unit replacement designation are “0” (substitution valid designation) is as follows: System A will behave with respect to the input data corresponding to unit number m, and System B will behave with respect to the input data corresponding to unit number m. Regarding the input data corresponding to number m+1, the redundant operation using the input data of the A system (Seido system) is continued (Step S27: “Y
). This state is shown in FIG.

A system. Diagnosis result (K) with unit connection diagnosis processing for both B series
When the failure recovery of the input/output unit is detected at "0" (step S20: "Y"), complete duplexing is performed using input data from the input/output controller 6A1.6A2.6B1.6B2 connected to the own system. Shift to driving.

Next, during the redundant operation of the A system and the B system, the input/output controller of one of the n input/output units 31 to 3n (unit number m: m≦n) that is adjacent to the A system 6A
The behavior of the redundant control device 1 when the bit corresponding to the unit number m designated as a replacement for the failed unit is "1" (invalid replacement designation) in the case where the unit 1 fails will be explained.

When the A-system basic software detects a failure in the input/output unit with unit number m during unit connection diagnosis processing, it performs a logical product of the unit diagnosis result (K) with the m bit set to “1°” and the failure unit replacement designation (M). The result (Y) is
Unit number ml of failure unit replacement designation: Since the corresponding bit is “1” (substitution invalid designation), the bit corresponding to unit number m of the above logical product and antagonist (Y) is “1”.
Therefore, self-system separation (step S23: “N”)
), the initialization process is thereafter executed until recovery of the input/output unit with unit number m is detected. At this time, since the own system diagnosis result (K) was "1", the basic software of system B used the input data from the own system's input/output controller 6B1.682 from duplex operation! 11 will shift to driving alone. FIG. 12 shows this state.

If the A-system basic software detects the duplication of the input/output unit with unit number m during standalone operation in the B-system, the A-system basic software communicates with the B-system basic software via the synchronous bus 9. A "duplexing request" is output, and thereafter, the basic software of both systems shifts from fil-only operation to complete duplexing operation.

According to the embodiment described above, when one system fails, depending on the function of each unit configuring the duplex device,
A simple parameter setting allows you to decide whether to maintain redundant operation using the data of the normal unit, maintain redundant operation with the failed unit disconnected, or transition to standalone operation with the entire system including the failed unit disconnected. It can be improved in a certain way. Judgment of this parameter, disconnection of the unit vehicle/system as a whole, and automatic recovery IE+ are executed by this program, so it is easy to use. A good device can be constructed.

〔Effect of the invention〕

As explained in detail above, as the performance of equipment increases, duplexing 1. In order to ensure high reliability and high availability in control equipment, the input/output units are differentiated when operated as a duplex system with dual operation, and in the event of a failure in one system, degenerate reconfiguration, i.e., unit disconnection allows duplex operation to continue or The transition to independent operation can be easily managed, and a system with a high degree of freedom can be realized.

[Brief explanation of drawings]

1 and 2 are flowcharts showing an embodiment of the present invention applied to the duplex control device shown in FIG. 3, FIG. 3 is a block diagram showing an example of the configuration of the duplex control device, and FIG. FIG. 5 is a block diagram showing another configuration example of the control device, and FIG. Similarly, FIG. 6 is a state diagram showing an islanding state in which the faulty system is disconnected when a partial failure occurs in one system of the redundant control device shown in FIG. 4, and FIGS. FIG. 9 is a state diagram showing a duplex operation state performed using normal system data when one system has a partial failure according to the second embodiment in the duplex control device of FIG. 3; Figure 10 is a state diagram showing a redundant operation state that is performed by isolating the failed part when a partial failure occurs at the same location in both systems, and Figure 11 shows a normal system when a partial failure occurs at different locations in both systems. State diagram showing the redundant operation state performed using data, 1st
FIG. 2 is a state diagram showing an isolated operation state in which the faulty system is disconnected when one system has a partial failure. 1... Duplex control device, 2A, 2B... Central processing unit, 31.32... Input/output unit, 4A, 4B
...CPU module, 5A, 5B...Internal bus controller, 6A1.6B1.6A2.6B2
... Input/output controller, 71.72... Input/output module, 8A, 8B... Internal bus, 9...
・Synchronous bus, 101, 102...I/O bus, 12・
...Auxiliary calculation unit. 14...CPU module/l
,, 15A, 15B... Internal bus controller.

Claims (1)

[Claims] 1. An arithmetic unit consisting of a microprocessor, memory, internal bus controller, etc., which manages and executes the entire arithmetic and control operations, an internal bus connected to the internal bus controller, and a plant. It is configured to include a plurality of input/output units consisting of an input/output module as an input/output interface between the two, and an input/output controller that manages the input/output module, and at least the arithmetic unit, internal bus, and input/output controller are duplicated. In a redundant control device that constitutes two systems, there is a module failure detection means that detects a module failure within the device, and a module that disconnects the unit containing the failed module from the system when a module failure is detected by this module failure detection means. A duplex control device comprising a selection means for selecting whether to maintain a duplex system in the remaining device portion or to disconnect a system including a failed module and transition to a single system. 2. As an input/output interface between the arithmetic unit, which is composed of a microprocessor, memory, internal bus controller, etc. and manages and executes the entire arithmetic and control operations, the internal bus connected to the internal bus controller, and the plant. and a plurality of input/output units consisting of an input/output module and an input/output controller that manages the input/output module, and at least the arithmetic unit, internal bus, and input/output controller are duplicated to form two systems. a redundant control device comprising: a fault detection means for detecting a partial fault in the input/output unit; and when the fault detection means detects that a partial fault has occurred in a different input/output unit in both systems; A duplex system is maintained using plant input data from normal input/output controllers of different input/output units, and when a partial failure is detected in the same input/output unit, input data is updated from that failed input/output unit. What is claimed is: 1. A duplex control device characterized by comprising partial failure response means for maintaining a duplex system that has been stopped.